The healthcare IT headlines have been screaming about the lapses and dysfunction of information security. With the reported data breach at UPMC, the reported breach at Cottage Health System last year, the news from Healthcare IT News that “Nashville, TN based Cogent Healthcare also recently reported an incident when a site the organization was using to store patient data had its firewall down, that exposed the PHI of approximately 32,000 patients and the attack recently at Boston Children’s Hospital’s reportedly by the group known as Anonymous, brought to the forefront, the need for a better defense strategy of healthcare’s security infrastructure, protocol & policies across the spectrum.
How many provider CEOs, CIOs, CFOs and VPs of Medical Records think about their organization’s plans for organizational continuity if they should have to defend against hackers or update their infrastructure? H.ow many know of the ability to wipe data off a remote tablet or device? The physicians all want these lighter, “easier to use” devices that can help put in their clinical notes faster and allow them to see their 30 to 40 patients (depending on the physician) a day without lugging around the heavy laptop all day.
I’m sure that not many had really thought about a renowned hacker group trying to hack into and access the medical records of a children’s hospital (until now). I’m quite sure that when sitting in a board room and discussing the investment of time & organizational resources to defend against these possible situations, while it has been taken with the utmost seriousness, the prevailing thinking is “this won’t happen to us” attitude.
Well, it can and it will in this new, cyber age. In Healthcare IT News article, it mentioned Verizon reported that the majority of data breaches were from the theft or loss of unencrypted devices. Do we need to take healthcare information encryption to a whole new level?
In addition, is two factor authentication enough or do we need to start thinking about multi-factor authentication? When deploying the infrastructure for a healthcare provider in our region we focused on tap badges and deployment of tap badge readers versus fingerprint scans as part of the two factor (something you have, e.g. a badge and something you know, e.g. a password) authentication stipulated by the Ohio Board of Pharmacy requirement. Maybe the time is appropriate to think about a 3rd factor (something that the user is and add their finger print or retina scan…yes, I know, we’re getting into sci-fi realm here). All this will take time to finally get implemented and as costs of security and defense of systems mounts, so will the costs associated with our healthcare. Ohio for instance has probably spent close to a billion dollars taking into account all of the healthcare providers in the state and their implementations over the last few years of EHR and the supporting infrastructure to run it appropriately. This investment will take years to achieve the ROI. Imagine if we need to now, start thinking about further securing our healthcare information and needing new standards for that? Will this kill any push towards the cloud?
While organizations like Microsoft thought this through and are primed for this wave when they acquired Phone Factor in 2012, this latest wave of breaches, penalties and attacks on healthcare infrastructure will surely make more than a few to sit up and take notice, not only about the opportunity to improve in an insightful and cost effective way, but continue to prioritize patient safety through security. With HIPAA notification requirements having become more stringent as of the fall of 2013, care delivery organizations should seriously plan dress rehearsals or “fire drills” to prepare for a new age of information defense. Where’s an “ethical hacker” when you need one?